<br><br><div class="gmail_quote">On Sun, Aug 26, 2012 at 1:55 AM, waldo kitty <span dir="ltr"><<a href="mailto:wkitty42@...14940..." target="_blank">wkitty42@...14940...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
what rule?<br>
<br></blockquote><div><br>The rule is something like this.<br><br>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Looking for POST"; flow:established,to_server; content:"POST"; http_method; content:"xxxxyyyyzzzzz"; sid: xxxxxxxx; rev:1;) <br>
 </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
do you have a pcap?<br>
<br></blockquote><div><br>I don't have a PCAP; however, when I look at the payload section of this alert in BASE, I can clearly see that it is <br><br>GET xxxxyyyyzzzzz<br>host: <a href="http://aaaabbbbcccc.com">aaaabbbbcccc.com</a><br>
 </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Balasubramaniam Natarajan<br><a href="http://www.etutorshop.com/moodle/" target="_blank">www.etutorshop.com/moodle/</a><br><br>